JetBrains TeamCity Authentication Bypass Vulnerabilities | SonicWall

Overview

The SonicWall Capture Labs threat research team became aware of a couple of noteworthy vulnerabilities — an authentication bypass vulnerability and a path traversal vulnerability — in JetBrains TeamCity, assessed their impact and developed mitigation measures for them. TeamCity, a build management and continuous integration server, published an advisory on these vulnerabilities which affect versions before 2023.11.4. Considering the sizeable user base as well as the low attack complexity, TeamCity users are strongly encouraged to upgrade their instances to the latest versions with utmost priority.

CVE Details

Authentication Bypass Vulnerability

The authentication bypass vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2024-27198.

The CVSS score is 9.8 based on the metrics (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Path Traversal Vulnerability

The path traversal vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2024-27199.

The CVSS score is 7.3 based on the metrics (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

Technical Overview

CVE-2024-27198

This vulnerability allows threat actors to circumvent the authentication mechanism by sending a crafted request to the web server. The flaw is in the functionality of the jetbrains.buildServer.controllers.BaseController class of the web-openapi.jar library. As seen in the code shared by rapid7 in Figure 1, if a request is served by the handleRequestInternal method in the BaseController class and not redirected by issuing 302 status code, then it will lead to execution of the updateViewIfRequestHasJspParameter method.

Figure 1: handleRequestInternal method of BaseController class, source: rapid7

Another piece of code, as seen in Figure 2, defining the method updateViewIfRequestHasJspParameter reveals that the unauthenticated attacker needs to make sure that the modelAndView has a name and does not terminate with .jsp. Requesting a non-existent URI that generates a 404 response and renders a /404.html page would result in the variable isControllerRequestWithViewName becoming true and the method getJspFromRequest will be called.

Figure 2: updateViewIfRequestHasJspParameter method, source: rapid7

The method getJspFromRequest is the one that captured the imagination of the attackers as it allows them to render an arbitrary endpoint by specifying the value in a parameter named jsp, as seen in Figure 3. Although it does not only require the endpoints to terminate with .jsp but also makes sure that it does not contain the confined path /admin/, the parameters can be tricked to access the arbitrary endpoints by an unauthenticated threat actor which normally requires authentication. 

Figure 3: getJspFromRequest method, source: rapid7

CVE-2024-27199

This vulnerability allows the threat actors to gain unauthenticated access to a limited number of authenticated endpoints due to a path traversal issue present in some of the endpoints such as /res/, /update/ and /.well-known/acme-challenge/. The attacker can make use of those paths along with path traversal vectors to reach other restricted endpoints by circumventing the authentication checks.

Triggering the Vulnerability

CVE-2024-27198

Leveraging this authentication bypass vulnerability requires the attacker to meet the following requisites:

  1. Render a 404 response by requesting a non-existing path, for instance, /sw
  2. Set a value of jsp query parameter in the request to the desired path which requires authentication, for example, ?jsp=/app/rest/server
  3. Make sure the crafted URI terminates with .jsp. The path can be ended by appending an HTTP path parameter or a query string segment such as ;.jsp or ?.jsp

The example request would look like, http[:]//sw-test[.]local:8111/sw?jsp=/app/rest/server?.jsp

Accessing the authenticated endpoint /app/rest/server by exploiting this vulnerability is demonstrated in the video below.

CVE-2024-27199

Triggering this path traversal vulnerability requires the threat actor to send a crafted request utilizing the endpoints discussed in the overview section to reach number of pages that may expose sensitive information and/or let the attacker alter system configurations. For instance, the video illustrating the unauthenticated access to some of the endpoints /app/https/settings/certificateInfo and /admin/diagnostic.jsp is shown below.

Exploitation

CVE-2024-27198

Exploitation of this vulnerability yields the attacker a commanding position over a TeamCity server by adding a new admin user, as seen in the video below, and complete control over builds and projects hosted on the server which can open the door for them to execute a sophisticated supply chain attack.

CVE-2024-27199

Exploitation of this vulnerability yields the attacker sensitive information as well as the ability to modify some of the server configurations such as uploading a custom HTTPS certificate and specifying the listening port for the HTTPS service using a self-signed certificate.

This flaw can be exploited by nefarious attackers to execute either a denial-of-service (DoS) attack by modifying the HTTPS listening port or a man-in-the-middle (MITM) attack, since the attacker owns the private key of the modified certificate.

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

CVE-2024-27198

  • IPS: 15969 and 15970

CVE-2024-27198

  • IPS: 15966, 15967 and 15968

Remediation Recommendations

Considering the severe consequences of this vulnerability as well as the reports of mass-generation of admin accounts using the exploit, users are strongly encouraged to upgrade their instances as published in the vendor advisory.

Relevant Links

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.

Source: Original Post


“An interesting youtube video that may be related to the article above”